Sourcehut SSH

The Sourcehut approach for SSH-accessible repositories is to insert an authentication dispatch into the host's sshd(8) configuration.


Setup

In /etc/ssh/sshd_config, set:

AuthorizedKeysCommand=/usr/bin/gitsrht-dispatch "%u" "%h" "%t" "%k"
AuthorizedKeysCommandUser=root
PermitUserEnvironment SRHT_*

A git user is created automatically by installing the git.sr.ht package, but an additional step of setting a login password for that user is necessary.

sudo passwd git


Configuration

The relevant configuration is found in the git.sr.ht::dispatch section of the Sourcehut configuration.

[git.sr.ht::dispatch]
/usr/bin/gitsrht-keys=git:git
/usr/bin/buildsrht-keys=builds:builds

This should work out of the box, but additional authentication stacks can be inserted here.


Design

When a user pulls from (or pushes to) git@<host>:~username/reponame, gitsrht-dispatch (set in sshd_config as the AuthorizedKeysCommand) parses the git.sr.ht::dispatch section of the Sourcehut configuration. This process runs as root.

The right-hand side is the uid-gid pair that gitsrht-dispatch will watch for, and the left-hand side is a binary that will be dispatched to. If no dispatcher matches, gitsrht-dispatch looks up the user's authorized_users file, to ensure that normal SSH access is uninterrupted.

Assuming the user is git, the authentication is dispatched to gitsrht-keys. This program generates a virtual authorized_users file that will be returned to the sshd(8) process.

The virtual authorized_users file is based on the Sourcehut database of SSH keys, and includes the keys of all users who should have access to the corresponding repository. Both the SSH keys and repository-level access controls are managed in the web UI.

Note that the git user is made to log in using gitsrht-shell. This shell program wants to log to /var/log/gitsrht-shell despite running as git, so the ownership or permissions of that file need to be adjusted accordingly.
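The dispatch flow described in this section, as an added model written for this page rather than Sourcehut's own gitsrht-dispatch: sshd calls it as root with "%u" "%h" "%t" "%k", it selects a backend by comparing the login user's uid:gid against each user:group on the right-hand side, drops root to that account before handing off, and otherwise falls back to the user's own authorized_keys file. The config path /etc/sr.ht/config.ini, the sample section and the id table are assumptions constructed for the self-test.

```python
import configparser, grp, os, pwd, sys

# Constructed copies of the section shown above and of an id table, so the
# self-test runs on a host without the git/builds accounts.
SAMPLE_CONFIG = """[git.sr.ht::dispatch]
/usr/bin/gitsrht-keys=git:git
/usr/bin/buildsrht-keys=builds:builds
"""
FAKE_IDS = {"git": (1001, 1001), "builds": (1002, 1002), "alice": (1000, 1000)}

def fake_ids(user, group=None):
    return FAKE_IDS[user][0], FAKE_IDS[group or user][1]

def system_ids(user, group=None):
    """uid:gid from the host databases; primary gid unless a group is named."""
    pw = pwd.getpwnam(user)
    gid = pw.pw_gid if group is None else grp.getgrnam(group).gr_gid
    return pw.pw_uid, gid

def load_dispatch(config_text):
    """Parse [git.sr.ht::dispatch] into {binary: (user, group)}."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str                  # keep binary paths case-sensitive
    cp.read_string(config_text)
    table = {}
    for binary, pair in cp["git.sr.ht::dispatch"].items():
        user, _, group = pair.partition(":")
        table[binary] = (user, group or user)
    return table

def choose_backend(table, login_user, login_home, ids=system_ids):
    """(binary, None) on a uid:gid match, else (None, authorized_keys path)."""
    want = ids(login_user)
    for binary, (user, group) in table.items():
        try:
            if ids(user, group) == want:
                return binary, None
        except KeyError:                  # that backend's account is absent
            continue
    return None, os.path.join(login_home, ".ssh", "authorized_keys")

def main(argv, config_path="/etc/sr.ht/config.ini"):   # path is an assumption
    login_user, home, key_type, key = argv[1:5]         # "%u" "%h" "%t" "%k"
    with open(config_path) as f:
        table = load_dispatch(f.read())
    binary, fallback = choose_backend(table, login_user, home)
    if binary:
        uid, gid = system_ids(login_user)
        os.setgid(gid); os.setuid(uid)    # drop root before the backend runs
        os.execv(binary, [binary, login_user, home, key_type, key])
    elif os.path.isfile(fallback):
        sys.stdout.write(open(fallback).read())
```

A backend whose account does not exist is skipped rather than aborting the dispatcher, since an exception here would lock every SSH user out of the host.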


CategoryRicottone